Sefnit Malware Returns with Sophisticated Version

Sefnit, a malware family that made news in January 2014, has returned once again, and this time it is employing new tactics to compromise users' computers, reported Theregister.co.uk on 29th April, 2014.

The Sefnit botnet was first spotted in September 2013 and triggered alarms early this year when security researchers warned that millions of machines were expected to be infected by it.

Researchers at the Microsoft Malware Protection Center (MMPC) conducted an analysis and disclosed that Sefnit is a family of malicious programs that has been used to defraud advertisers by generating rogue ad clicks since around 2011.

Sefnit was particularly known for its use of the Tor network as a command-and-control (C&C) channel to evade detection.

It is not clear how well Tor worked as a C&C channel for Sefnit's authors, since traffic over the anonymity network slows down, chiefly when it is overcrowded with users.

Facebook researchers who recently scrutinized the malware reason that this poor performance may explain why the new edition of Sefnit no longer relies on the Tor network.

Interestingly, the new edition was identified by researchers working at the social network, and it is spreading in the wild via more conventional means.

Researchers at Facebook and Microsoft have studied the latest version of Sefnit, designated Sefnit.BW, in depth and learned that this version is used for Litecoin mining as well as click fraud. The malware opens a backdoor connection to a number of malicious domains, from which additional malware can be downloaded onto infected machines.

Experts say that the current Sefnit malware operates without Tor and instead establishes direct connections to one or more C&C servers over an encrypted SSH connection made with Plink, the command-line connection tool from the PuTTY suite. The malware runs as a pair of executables and initially conceals itself as a 'Windows Theme' system file.

The use of Plink further shows that Sefnit's authors tend to repurpose legitimate software to accomplish their goals.
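Because Plink is a legitimate administration tool, the practical question for defenders is how to tell an administrator's SSH session apart from a malware-driven tunnel. The following script is an added example, not code from the article or from the Microsoft or Facebook researchers: it scores process-creation records for the traits that distinguish scripted Plink use (tunnel flags, a password on the command line, no interactive parent, a renamed binary, a raw IP target). The records are constructed, the command lines are illustrative rather than Sefnit's actual arguments, and the assumption that a renamed copy still carries "Plink" in its PE OriginalFilename is labelled in the code. The flags checked (-R, -L, -D, -N, -batch, -pw) are real Plink options.

```python
"""Score process-creation events for malware-style use of PuTTY's plink.exe.

Added example; not from the article nor from Sefnit's analysts. Events below are
constructed in the shape of Sysmon Event ID 1 records; command lines are
illustrative, not Sefnit's real arguments.
"""
import re

# Real Plink options that set up a tunnel rather than an interactive shell.
PLINK_TUNNEL_FLAGS = {"-R": "remote port forward", "-L": "local port forward",
                      "-D": "dynamic SOCKS forward"}
# Real Plink options typical of scripted, unattended use.
PLINK_AUTOMATION_FLAGS = {"-N": "no remote shell (tunnel only)",
                          "-batch": "non-interactive mode",
                          "-pw": "password on command line"}
# Parents an administrator would normally launch plink from (assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe",
                       "windowsterminal.exe", "conhost.exe"}

# Constructed sample telemetry: one admin session, one suspicious renamed copy
# hidden under a theme directory, one unrelated system process.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\PuTTY\plink.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\PuTTY\plink.exe" -ssh admin@jumphost.corp.example',
     "original_filename": "Plink"},
    {"image": r"C:\Windows\Resources\Themes\aero\svcupdate.exe",
     "parent": r"C:\Windows\Resources\Themes\aero\themehost.exe",
     "cmdline": r"svcupdate.exe -ssh -batch -N -pw p4ss -R 8080:127.0.0.1:8080 user@198.51.100.23",
     "original_filename": "Plink"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"svchost.exe -k netsvcs",
     "original_filename": "svchost.exe"},
]

IPV4_RE = r"\d{1,3}(\.\d{1,3}){3}"


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_plink(event):
    # Assumption: the PE version resource OriginalFilename ("Plink") survives a
    # rename on disk, so match on it as well as on the file name.
    orig = re.sub(r"\.exe$", "", event.get("original_filename", "").lower())
    return orig == "plink" or basename(event["image"]) == "plink.exe"


def score_event(event):
    """Return None for non-plink processes, else a dict with score and reasons."""
    if not is_plink(event):
        return None
    tokens = tokenize(event["cmdline"])
    flags = set(tokens[1:])
    reasons = [f"{f}: {why}" for f, why in PLINK_TUNNEL_FLAGS.items() if f in flags]
    reasons += [f"{f}: {why}" for f, why in PLINK_AUTOMATION_FLAGS.items() if f in flags]
    if basename(event["image"]) != "plink.exe":
        reasons.append("renamed plink binary: " + basename(event["image"]))
    if basename(event["parent"]) not in INTERACTIVE_PARENTS:
        reasons.append("non-interactive parent: " + basename(event["parent"]))
    # The connection target is the last [user@]host-looking token.
    target = next((t for t in reversed(tokens)
                   if "@" in t or re.fullmatch(IPV4_RE, t)), None)
    if target and re.search(IPV4_RE + "$", target):
        reasons.append("raw IP target: " + target)
    return {"image": event["image"], "score": len(reasons), "reasons": reasons}


def analyze(events, threshold=3):
    """Return alerts for plink launches whose suspicion score reaches threshold."""
    alerts = []
    for ev in events:
        result = score_event(ev)
        if result and result["score"] >= threshold:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["image"], alert["score"])
        for r in alert["reasons"]:
            print("  -", r)
```

Run as-is, only the renamed copy under the Themes directory is reported: an interactive admin session with no tunnel flags scores zero. In a real deployment the parent allow-list and threshold would be tuned to the environment, and OriginalFilename should be supplemented with a hash of known Plink builds, since an attacker can strip version resources from the binary.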

Such resurfacing of a known malware family has been witnessed before. Successful infections are often repackaged and customized by their original authors, or adopted by other groups of cybercriminals, for new attacks; the Zeus Trojan is the most apt example of this kind of malware.